firebase / firebase-tools-ui

A local-first UI for Firebase Emulator Suite.
https://firebase.googleblog.com/2020/05/local-firebase-emulator-ui.html
Apache License 2.0

Firebase tools rejects any refreshed token after one week which deem it revoked #1026

Open m-elgamal opened 3 months ago

m-elgamal commented 3 months ago

Describe the bug: Emulator always revokes tokens that are older than one week.

To Reproduce: When using the Firebase emulator, after a week of authentication, the token passes the expired token check but never passes the token revoked check.

Facing this issue for a few months now for a project I'm working on. Had to debug through the firebase tools as follows: in node_modules/firebase-admin/lib/base-auth.js, in the verifyDecodedJWTNotRevokedOrDisabled function:

decodedIdToken = {
    "name": "",
    "picture": "",
    "roles": [
        "admin"
    ],
    "email": "*****************",
    "email_verified": false,
    "auth_time": 1704074185,   <<<<<<-------------------------------
    "user_id": "hcHenhueMtmiDDa8MUXMg30jXIj0",
    "firebase": {
        "identities": {
            "email": [
                "****************"
            ]
        },
        "sign_in_provider": "password"
    },
    "iat": 1711809021,
    "exp": 1711812621,
    "aud": "************",
    "iss": "https://securetoken.google.com/togonowreact",
    "sub": "hcHenhueMtmiDDa8MUXMg30jXIj0",
    "uid": "hcHenhueMtmiDDa8MUXMg30jXIj0"
}

Emulator will always throw token revoked error if the login is over a week even though the token has been refreshed

const authTimeUtc = decodedIdToken.auth_time * 1000;
// Get user tokens valid after time in milliseconds UTC.
const validSinceUtc = new Date(user.tokensValidAfterTime).getTime();
// Check if authentication time is older than valid since time.
if (authTimeUtc < validSinceUtc) {
    throw new error_1.FirebaseAuthError(revocationErrorInfo);
}


As of now, the decodedIdToken resolved to the following PST time:

authTimeUtc: 1704074185000
which resolves to: Sunday, December 31, 2023 5:56:25 PM

validSinceUtc: new Date(user.tokensValidAfterTime).getTime()
1711179389000
which resolves to: Saturday, March 23, 2024 12:36:29 AM

Which always results in true for the following if statement:

                if (authTimeUtc < validSinceUtc) {
                    throw new error_1.FirebaseAuthError(revocationErrorInfo);
                }
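
The comparison quoted above, as an added stand-alone example (not part of the original issue and not firebase-admin's own code). `classifyToken` and `refresh` are hypothetical helpers; the token and cutoff values are the ones from the issue, the re-authenticated token is constructed, and the refresh simulation assumes a refresh renews `iat`/`exp` but keeps `auth_time`, as the token in the issue shows.

```javascript
// Added illustration: mirrors the two checks described in the issue
// (expiry, then auth_time vs. tokensValidAfterTime). Not firebase-admin code.
function classifyToken(decoded, tokensValidAfterTime, nowMs) {
  const authTimeUtc = decoded.auth_time * 1000;
  const validSinceUtc = new Date(tokensValidAfterTime).getTime();
  if (Number.isNaN(validSinceUtc)) {
    throw new TypeError('tokensValidAfterTime is not a parseable date');
  }
  let status = 'valid';
  if (decoded.exp * 1000 <= nowMs) status = 'expired';
  else if (authTimeUtc < validSinceUtc) status = 'revoked';
  return {
    status,
    // Days between sign-in and the cutoff (negative: sign-in is after the cutoff).
    authBeforeCutoffDays: (validSinceUtc - authTimeUtc) / 86400000,
    // Age of this particular token; a refresh resets it, but not auth_time.
    tokenAgeSeconds: Math.floor(nowMs / 1000) - decoded.iat,
  };
}

// Assumption: a refresh issues new iat/exp and carries auth_time over unchanged.
function refresh(decoded, nowMs) {
  const iat = Math.floor(nowMs / 1000);
  return { ...decoded, iat, exp: iat + 3600 };
}

// Values from the issue.
const token = { auth_time: 1704074185, iat: 1711809021, exp: 1711812621 };
const validAfter = '2024-03-23T07:36:29Z'; // 1711179389000 written as an ISO string
const issuedAtMs = token.iat * 1000;

const atIssue = classifyToken(token, validAfter, issuedAtMs);

// Thirty minutes later the client refreshes; the verdict does not change.
const laterMs = issuedAtMs + 30 * 60 * 1000;
const afterRefresh = classifyToken(refresh(token, laterMs), validAfter, laterMs);

// Constructed: a new sign-in after the cutoff moves auth_time past it.
const reauthToken = { auth_time: 1711809000, iat: 1711809021, exp: 1711812621 };
const reauth = classifyToken(reauthToken, validAfter, issuedAtMs);

console.log({ atIssue, afterRefresh, reauth });
```

The outcome depends only on `auth_time` relative to `tokensValidAfterTime`, so when triaging this error it is worth logging both values alongside `iat` to see which side of the comparison moved.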
m-elgamal commented 2 months ago

Bump!